Phone network TalkTalk has been fined £100,000 after it failed to look after its customers’ data and risked it falling into the hands of scammers.

It has been handed the penalty by the Information Commissioner’s Office, after an ICO investigation found TalkTalk breached the Data Protection Act because it allowed staff to have access to large quantities of customers’ data. Its lack of adequate security measures left the data open to exploitation by rogue employees.

The breach came to light in September 2014 when TalkTalk started getting complaints from customers that they were receiving scam calls. Typically, the scammers pretended they were providing support for technical problems. They quoted customers’ addresses and TalkTalk account numbers.

The investigation found the issue lay with a TalkTalk portal through which customer information could be accessed. One of the companies with access to the portal was Wipro, a multinational IT services company in India that resolved high-level complaints and addressed network coverage problems on TalkTalk’s behalf.

A specialist investigation by TalkTalk identified three Wipro accounts that had been used to gain unauthorised and unlawful access to the personal data of up to 21,000 customers.

Information commissioner Elizabeth Denham said: “TalkTalk may consider themselves to be the victims here. But the real victims are the 21,000 people whose information was open to abuse by the malicious actions of a small number of people.

“TalkTalk should have known better and they should have put their customers first.”